From 3357a06d4aeffa53a8fb69faf6d85232820103f3 Mon Sep 17 00:00:00 2001 From: Sander Roosendaal Date: Thu, 29 Aug 2019 07:47:02 +0200 Subject: [PATCH 1/2] improved privileges --- rowers/teams.py | 4 ++-- rowers/views/teamviews.py | 21 +++++++++------------ 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/rowers/teams.py b/rowers/teams.py index a11cbdae..4c8ee0a4 100644 --- a/rowers/teams.py +++ b/rowers/teams.py @@ -135,8 +135,8 @@ def add_member(id,rower): t= Team.objects.get(id=id) try: rower.team.add(t) - except ValidationError: - return(0,"Couldn't add member") + except ValidationError as e: + return(0,"Couldn't add member: "+str(e.message)) # code to add all workouts ws = Workout.objects.filter(user=rower) diff --git a/rowers/views/teamviews.py b/rowers/views/teamviews.py index 8610beaa..fcf5b1e1 100644 --- a/rowers/views/teamviews.py +++ b/rowers/views/teamviews.py @@ -168,19 +168,22 @@ def get_teams(request): private='open').exclude( rower=r).exclude(manager=request.user).order_by('name') + if rower.rowerplan == 'basic': + otherteams.exclude(manager__rower__rowerplan='freecoach') + return myteams, memberteams, otherteams @login_required() -def rower_teams_view(request,message='',successmessage=''): +def rower_teams_view(request): if request.method == 'POST': form = TeamInviteCodeForm(request.POST) if form.is_valid(): code = form.cleaned_data['code'] res,text = teams.process_invite_code(request.user,code) if res: - successmessage = text + messages.info(request,text) else: - message = text + messages.error(request,text) else: form = TeamInviteCodeForm() @@ -249,8 +252,6 @@ def rower_teams_view(request,message='',successmessage=''): # clubsize = teams.count_invites(request.user)+teams.count_club_members(request.user) # max_clubsize = r.clubsize - messages.info(request,successmessage) - messages.error(request,message) breadcrumbs = [ { 
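Review bot: `str(e.message)` in the new `except ValidationError as e:` branch of add_member can itself raise, because Django's ValidationError only sets `.message` when it was built from a single message; an instance built from a list or dict has no such attribute, and the resulting AttributeError would replace the intended `(0, ...)` return. The `messages` property is always present, so `return (0, "Couldn't add member: " + "; ".join(e.messages))` is the safer form. If callers show this text to the user (not visible here), confirm that the validators behind `rower.team.add(t)` only produce messages meant for end users. add_member starts and ends outside the hunk.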
@@ -312,18 +313,14 @@ def manager_member_drop_view(request,teamid,userid, return HttpResponseRedirect(url) @login_required() -def manager_requests_view(request,code=None,message='',successmessage=''): +def manager_requests_view(request,code=None): if code: res,text = teams.process_request_code(request.user,code) if res: - successmessage = text - message = '' + messages.info(request,text) else: - message = text - successmessage = '' + messages.error(request,text) - messages.info(request,successmessage) - messages.error(request,message) url = reverse(rower_teams_view,kwargs={ }) return HttpResponseRedirect(url) From b6a1a7646b86da349d7b555bc424a60231f118f9 Mon Sep 17 00:00:00 2001 From: Sander Roosendaal Date: Thu, 29 Aug 2019 07:59:13 +0200 Subject: [PATCH 2/2] fixed access to teams --- rowers/views/teamviews.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/rowers/views/teamviews.py b/rowers/views/teamviews.py index fcf5b1e1..36c6b85b 100644 --- a/rowers/views/teamviews.py +++ b/rowers/views/teamviews.py @@ -15,12 +15,17 @@ def team_view(request,id=0,userid=0): myteams, memberteams, otherteams = get_teams(request) teams.remove_expired_invites() + try: t = Team.objects.get(id=id) except Team.DoesNotExist: raise Http404("Team doesn't exist") + if r.rowerplan == 'basic' and t.manager.rower.rowerplan != 'coach': + raise PermissionDenied("You need to be on a Paid Plan to see or join this team") + + q = User.objects.filter(rower__isnull=False,rower__team__in=myteams).distinct().exclude(rower__team__name=t.name) mygroups = [request.user.rower.mycoachgroup] q2 = User.objects.filter(rower__isnull=False,rower__coachinggroups__in=mygroups).distinct().exclude(rower__team__name=t.name) 
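Review bot: The plan gate added to team_view (`if r.rowerplan == 'basic' and t.manager.rower.rowerplan != 'coach': raise PermissionDenied(...)`) protects only this one view, although its message says "see or join". As far as this series shows, the paths that actually attach a rower to a team (`teams.process_invite_code`, `teams.process_request_code`, `teams.add_member`) carry no such test, and the `get_teams` change in the following hunk only filters a listing. If this is meant as access control, keep the rule in one helper and call it from every team view and join path, e.g. `def can_access_team(rower, team): return rower.rowerplan != 'basic' or team.manager.rower.rowerplan == 'coach'`. As written the check also applies to basic rowers who are already members of the team, which may not be intended, and `t.manager.rower` will raise instead of denying if a manager has no rower record. `r` and the PermissionDenied import are defined outside the hunk.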
@@ -168,8 +173,8 @@ def get_teams(request): private='open').exclude( rower=r).exclude(manager=request.user).order_by('name') - if rower.rowerplan == 'basic': - otherteams.exclude(manager__rower__rowerplan='freecoach') + if r.rowerplan == 'basic': + otherteams = otherteams.filter(manager__rower__rowerplan='coach') return myteams, memberteams, otherteams